GNU Privacy Guard
| discontinued = | status = | programming language = C | operating system = Microsoft Windows, OS X, RISC OS, Android, Linux | platform = | size = | language = | language count = | language footnote = | genre = OpenPGP | license = GNU GPLv3 | alexa = | website = | standard = }} GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP cryptographic software suite. GnuPG is compliant with RFC 4880, which is the IETF standards track specification of OpenPGP. Modern versions of PGP and Veridis' Filecrypt are interoperable with GnuPG and other OpenPGP-compliant systems. GnuPG is part of the GNU project, and has received major funding from the German government. gnupg-wa GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 4880 (OpenPGP Message Format). GnuPG 1.4 is the standalone, non-modularized series. In contrast to the version 2 series, shipped with the gnupg2 package, it comes with no support for S/MIME and some other tools useful for desktop environments, but also with less dependencies. Version 1.6.5-2ubuntu0.2: * SECURITY UPDATE: random number generator prediction ** debian/patches/CVE-2016-6313-1.patch: improve the diagram showing the random mixing in random/random-csprng.c. ** debian/patches/CVE-2016-6313-2.patch: hash continuous areas in the csprng pool in random/random-csprng.c. * debian/rules: disable unaligned memory access on arm to fix FTBFS. Komponènts * gnupg: The gnupg package is built without libcurl. So it does not support HKPS keyservers. Install the gnupg-curl package if you want to use the keyserver helper tools built with libcurl and supporting HKPS. * gpgv: gpgv is a stripped-down version of gnupg which is only able to check signatures. It is smaller than the full-blown gnupg and uses a different (and simpler) way to check that the public keys used to make the signature are trustworthy. * libgcrypt: contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, Salsa, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. Overview GnuPG is a hybrid-encryption software program because it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version. The GnuPG 1.x series uses an integrated cryptographic library, while the GnuPG 2.x series replaces this with Libgcrypt. GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted. GnuPG also supports symmetric encryption algorithms. By default, GnuPG uses the CAST5 symmetrical algorithm. GnuPG does not use patented or otherwise restricted software or algorithms. Instead, GnuPG uses a variety of other, non-patented algorithms. For a long time it did not support the IDEA encryption algorithm used in PGP. It was in fact possible to use IDEA in GnuPG by downloading a plugin for it, however this might require a license for some uses in countries in which IDEA was patented. Starting with versions 1.4.13 and 2.0.20, GnuPG supports IDEA because the last patent of IDEA expired in 2012. Support of IDEA is intended "to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG", and hence is not recommended for regular use. As of versions 2.0.26 and 1.4.18, GnuPG supports the following algorithms: * Pubkey: RSA, ElGamal, DSA * Cipher: IDEA (since versions 1.4.13 and 2.0.20), 3DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish, Camellia-128, -192 and -256 (since versions 1.4.10 and 2.0.12) * Hash: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224 * Compression: Uncompressed, ZIP, ZLIB, BZIP2 More recent releases of GnuPG 2.x ("stable" and "modern" series) expose most cryptographic functions and algorithms Libgcrypt (its cryptographic library) provides, including support for elliptic curve cryptography (ECDSA, ECDH and EdDSA) in the "modern" series (i.e. since GnuPG 2.1). History GnuPG was initially developed by Werner Koch. Version 1.0.0, which was the first production version, was released on September 7, 1999, almost two years after the first GnuPG release (version 0.0.0). The German Federal Ministry of Economics and Technology funded the documentation and the port to Microsoft Windows in 2000. GnuPG is a system compliant to the OpenPGP standard, thus the history of OpenPGP is of importance; it was designed to interoperate with PGP, the email encryption program initially designed and developed by Phil Zimmermann. On February 7, 2014, a GnuPG crowdfunding effort closed, raising 36,732 euros for a new web site and infrastructure improvements. Branches , there are three actively maintained branches of GnuPG: * "Stable" (2.0), stable version for general use, initially released on November 13, 2006. * "Modern" (2.1), containing the latest development with numerous new features such as elliptic curve cryptography; it will eventually replace the "stable" (2.0) branch. It was initially released on November 6, 2014. * "Classic" (1.4), older standalone version, most suitable for older or embedded platforms. Initially released on December 16, 2004. "Modern" (2.1) and "stable" (2.0) cannot be installed at the same time. However, it is possible to install "classic" (1.4) along with any GnuPG 2.x (i.e. "modern" or "stable") version. Before the release of GnuPG 2.0, all releases originated from a single branch; i.e. before November 13, 2006 no multiple release branches were maintained in parallel. These former, sequentially succeeding (up to 1.4) release branches were: * 1.2 branch, initially released on September 22, 2002, with 1.2.6 as the last version, released on October 26, 2004. * 1.0 branch, initially released on September 7, 1999, with 1.0.7 as the last version, released on April 30, 2002. Platforms Although the basic GnuPG program has a command-line interface, there exist various front-ends that provide it with a graphical user interface. For example, GnuPG encryption support has been integrated into KMail and Evolution, the graphical e-mail clients found in KDE and GNOME, the most popular Linux desktops. There are also graphical GnuPG front-ends, for example Seahorse for GNOME and KGPG for KDE. For the OS X, the MacGPG project provides a number of Aqua front-ends for OS integration of encryption and key management as well as GnuPG installations via Installer packages. Furthermore, the GPGTools Installer installs all related OpenPGP applications (GPG Keychain Access), plugins (GPGMail) and dependencies (MacGPG) to use GnuPG based encryption. Instant messaging applications such as Psi and Fire can automatically secure messages when GnuPG is installed and configured. Web-based software such as Horde also makes use of it. The cross-platform extension Enigmail provides GnuPG support for Mozilla Thunderbird and SeaMonkey. Similarly, Enigform provides GnuPG support for Mozilla Firefox. FireGPG was discontinued June 7, 2010. In 2005, g10 Code GmbH and Intevation GmbH released Gpg4win, a software suite that includes GnuPG for Windows, GNU Privacy Assistant, and GnuPG plug-ins for Windows Explorer and Outlook. These tools are wrapped in a standard Windows installer, making it easier for GnuPG to be installed and used on Windows systems. Limitations As a command-line-based system, GnuPG 1.x is not written as an API that may be incorporated into other software. To overcome this, ''GPGME (abbreviated from GnuPG Made Easy) was created as an API wrapper around GnuPG that parses the output of GnuPG and provides a stable and maintainable API between the components. This currently requires an out-of-process call to the GnuPG executable for many GPGME API calls; as a result, possible security problems in an application do not propagate to the actual crypto code due to the process barrier. Various graphical front-ends based on GPGME have been created. Since GnuPG 2.0, many of GnuPG's functions are available directly as C APIs in Libgcrypt. Vulnerabilities The OpenPGP standard specifies several methods of digitally signing messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced.Phong Q. Nguyen "Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3." EUROCRYPT 2004: 555–570 It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers.GnuPG's ElGamal signing keys compromised Werner Koch, November 27, 2003 Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, since none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later). Two further vulnerabilities were discovered in early 2006; the first being that scripted uses of GnuPG for signature verification may result in false positives,False positive signature verification in GnuPG Werner Koch, February 15, 2006 the second that non-MIME messages were vulnerable to the injection of data which while not covered by the digital signature, would be reported as being part of the signed message.GnuPG does not detect injection of unsigned data, Werner Koch, March 9, 2006 In both cases updated versions of GnuPG were made available at the time of the announcement. Application support Applications, frontends and browser extensions that support GPG include the following: * Claws mail an email client with GPG plugin * Enigform a Firefox extension * Enigmail a Mozilla Thunderbird plug-in * FireGPG a Firefox extension (discontinued) * Gnus a message and news reader in GNU Emacs * Gpg4win a Windows package with tools and manuals for email and file encryption * GPGMail an OS X Mail.app plug-in * GPGServices an OS X Services Menu plug-in * GPGTools an OS X package with tools for email and file encryption (including GPGMail, GPG Keychain Access, MacGPG2, GPG Services etc.) * KGPG a KDE graphical frontend for GnuPG * KMail email client / email component of Kontact (PIM software), that uses GPG for cryptography * MCabber a Jabber client * Mutt an email client with PGP/GPG support built-in * Psi (instant messaging client) * WinPT a graphical frontend to GPG for Windows (discontinued) In popular culture In May 2014, The Washington Post reported on a 12-minute video guide "GPG for Journalists" posted to Vimeo in January 2013 by a user named anon108. The Post identified anon108 as fugitive NSA whistleblower Edward Snowden, who it said made the tutorial—"narrated by a digitally disguised voice whose speech patterns sound similar to those of Snowden"—to teach journalist Glenn Greenwald email encryption. Greenwald said that he could not confirm the authorship of the video. See also * Acoustic cryptanalysis * Key signing party * Off-the-Record Messaging – also known as OTR. * OpenPGP card – a smartcard with many GnuPG functions * Package manager * RetroShare - A friend-to-friend network based on PGP authentication. * Web of trust References Ikstörnol liŋks * * * A Short History of the GNU Privacy Guard, written by Werner Koch, published on GnuPG's 10th birthday Category:1999 software Category:Cross-platform software Category:Cryptographic software Privacy Guard Category:Linux security software Category:PGP Category:Privacy software